PatrykINTERNET
Explorer
June 20, 2025
Solved

Issue with Two-Way File Filter on FortiGate 40F (v7.6.3) – Only Blocks Uploads

I have configured a File Filter on a FortiGate 40F running FortiOS 7.6.3. The filter is applied to the LAN -> WAN policy and set to Both (two-way). However, the problem is that it only blocks files being uploaded from LAN to WAN, while downloads are not blocked.

Additionally, the antivirus on the same policy correctly blocks infected downloaded files, so the issue doesn’t seem to be with the policy or antivirus itself. I don’t want to create a WAN -> LAN policy because I don’t want external users to have access to the LAN network.

Also, I can’t find the PROXY feature in the configuration — it seems like it might have been removed or is unavailable in this version.

Does anyone know if this is expected behavior for the file filter in FortiOS 7.6.3? Am I missing some configuration to actually make it work two-way? Any advice would be much appreciated.

Best answer by atakannatak

Hi @PatrykINTERNET ,

On a FortiGate 40F running FortiOS 7.6.3, the File Filter profile can block uploads but not downloads because two-way inspection works only when the policy runs in proxy mode. Proxy mode—and every proxy-based feature—was removed from models with ≤ 2 GB RAM (40F/60F series) starting in FortiOS 7.4.4, so those units operate exclusively in flow mode.

https://docs.fortinet.com/document/fortigate/7.6.3/administration-guide/519079/proxy-related-features-not-supported-on-fortigate-2-gb-ram-models

Flow mode sees the filename in an HTTP POST (upload) and can act on it, but it cannot pause an HTTP response (download) to examine the file. Antivirus still scans downloads because its flow engine looks at the payload, but File Filter rules that rely on filename, MIME type, or true file type are upload-only on 2 GB models.

https://docs.fortinet.com/document/fortigate/7.6.3/administration-guide/984084/file-filter

Work-arounds:

  • Accept upload-only filtering and rely on antivirus for malware downloads.
  • Move the traffic to a FortiGate with ≥ 4 GB RAM (proxy mode available).
  • Add a FortiProxy or a larger FortiGate used as an explicit proxy in front of the 40F.

BR.

If my answer provided a solution for you, please mark the reply as solved so that others can find it easily while searching for similar scenarios.

CCIE #68781
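The answer above attributes the upload-only behaviour to the policy running in flow mode. As an added example, not code from the original post or from Fortinet, the script below parses a FortiOS-style configuration dump and flags every file-filter rule whose block action depends on the incoming (download) direction while the policy that references it is in flow mode, so you know exactly which rules to test instead of assuming they work two-way. The configuration text is constructed: the object names, policy id and interface names are invented, and the CLI keywords (feature-set, direction, file-filter-profile, inspection-mode) and the defaults applied when a keyword is absent are assumptions based on the FortiOS CLI, not taken from the thread.

```python
"""Audit a FortiOS config dump for file-filter rules that expect download
blocking on a policy that runs in flow mode.

Added example, not code from the original post or from Fortinet. The parser
understands only the config/edit/set/next/end subset of FortiOS CLI syntax;
a real `show` dump contains many more sections, which it simply walks over.
"""
import shlex
from typing import Dict, List

# Constructed sample resembling the relevant sections of a `show` dump.
# Names and the policy id are invented; the keywords are assumed from the
# FortiOS CLI and are not taken from the original thread.
SAMPLE_CONFIG = """\
config file-filter profile
    edit "ff-block-exe"
        set feature-set flow
        config rules
            edit "no-exe"
                set protocol http ftp
                set action block
                set direction any
                set file-type "exe" "msi"
            next
            edit "no-iso-upload"
                set protocol http
                set action block
                set direction outgoing
                set file-type "iso"
            next
        end
    next
end
config firewall policy
    edit 1
        set name "LAN-to-WAN"
        set srcintf "lan"
        set dstintf "wan"
        set inspection-mode flow
        set utm-status enable
        set file-filter-profile "ff-block-exe"
        set av-profile "default"
    next
end
"""


def parse_fortios(text: str) -> Dict:
    """Parse config/edit/set/next/end into nested dicts.

    Result shape: {section: {entry: {attr: [values], subsection: {...}}}}.
    Lines starting with other keywords (comments, unset, ...) are ignored.
    """
    root: Dict = {}
    stack = [root]  # innermost dict that the next `set` line belongs to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:  # unbalanced quote in a comment field, fall back
            tokens = line.split()
        kw, args = tokens[0], tokens[1:]
        cur = stack[-1]
        if kw == "config":
            stack.append(cur.setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(cur.setdefault(args[0], {}))
        elif kw == "set":
            cur[args[0]] = args[1:]
        elif kw in ("next", "end"):
            stack.pop()
    return root


def audit(config: Dict) -> List[str]:
    """One finding per block rule that needs the incoming (download) direction
    on a policy whose inspection-mode is flow. Defaults (flow, any, log) are
    assumed FortiOS defaults for keywords absent from the dump."""
    findings = []
    profiles = config.get("file-filter profile", {})
    for pol_id, pol in config.get("firewall policy", {}).items():
        prof_name = pol.get("file-filter-profile", [None])[0]
        if prof_name is None:
            continue
        mode = pol.get("inspection-mode", ["flow"])[0]
        pol_name = pol.get("name", ["?"])[0]
        for rule_name, rule in profiles.get(prof_name, {}).get("rules", {}).items():
            direction = rule.get("direction", ["any"])[0]
            action = rule.get("action", ["log"])[0]
            if mode == "flow" and action == "block" and direction in ("any", "incoming"):
                findings.append(
                    f"policy {pol_id} ({pol_name}): profile '{prof_name}' rule "
                    f"'{rule_name}' direction={direction} on a flow-mode policy; "
                    f"verify that downloads are actually blocked"
                )
    return findings


if __name__ == "__main__":
    for finding in audit(parse_fortios(SAMPLE_CONFIG)):
        print(finding)
```

To use it on your own unit, paste the output of `show` (or a backup file) in place of SAMPLE_CONFIG; rules with direction outgoing are left alone because the upload half is the part the thread reports as working.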